OAuth 2; AML
Facebook Twitter LinkedIn

High-security & interoperable OAuth 2: What's the latest?

Combined Session
Wednesday, May 10, 2023 17:30—17:45
Location: A 03-04

OAuth is a widely used authorization framework that enables third-party applications to access resources on behalf of a user. However, it has been historically difficult to meet very high security and interoperability requirements when using OAuth. Daniel and Joseph have spent much of the last five years working to improve the state of the art and will present the latest developments in the field.

There are challenges when trying to achieve high security and interoperability with OAuth 2: Many potential threats need to be addressed, some not part of the original OAuth threat model. To seamless authorizations, optionality must be minimized OAuth itself and also in any extensions
used.

Six years ago, the IETF OAuth working group started work on the Security Best Current Practice document and more recently on OAuth 2.1. Meanwhile, the OpenID Foundation has created FAPI1 and FAPI2 security profiles.

We will introduce these specifications and help you understand the focus of each document and when to use which. We show how to achieve on-the-wire interoperability and high security through the use of techniques like asymmetric client authentication and sender-constraining via DPoP and MTLS. We highlight the benefits for implementers and the role of conformance testing tools.

High-security & interoperable OAuth 2: What's the latest?
Event Recording
High-security & interoperable OAuth 2: What's the latest?
Click here to watch the recording of this session. Please note that this video is only available to event participants and subscribers. You'll need to log in to watch it.
High-security & interoperable OAuth 2: What's the latest?
Presentation deck
High-security & interoperable OAuth 2: What's the latest?
Click here to download the slide deck. Please note that downloads are only available for event participants and subscribers. You'll need to log in to download it.
Dr. Daniel Fett
Dr. Daniel Fett
Authlete
Daniel holds a Ph.D. in Computer Science for the development of new methods for analyzing the security of web standards. Leveraging this background, he has worked for the past several years to...
Joseph Heenan
Joseph Heenan
Authlete Inc
Joseph is a software engineer & architect with over 25 years’ experience, who started writing mobile apps before mobile apps existed. He contributes to IETF and OpenID Foundation working...

Tickets

On-Demand Access
Re-live EIC 2023
€500
 
Watch 200 sessions on-demand
Download all available presentations
Subscribe for updates
Please provide your email address